No safe haven: the global Secret Service hunt for three hackers

Dave & Buster's store #32 in Islandia, New York—a restaurant and electronic funhouse for adults—seemed an unlikely target for an international credit card theft ring. Certainly no patron drinking beer and shooting miniature basketballs into a miniature hoop expected their credit card data to end up inside an encrypted Latvian server, waiting to be sold off to international criminals who would ring up more than $600,000 in charges on the cards. But that was because no patron knew anything about the Estonian hacker Aleksandr "JonnyHell" Suvorov.

On May 18, 2007, Suvorov electronically entered the point of sale (POS) server at store #32. Every Dave & Buster's has a POS server, which vacuums up all the credit card data collected by each store's credit card swipe terminals and relays it upstream to a payment processor for verification and approval of the transaction. With full access to the server, Suvorov had no trouble installing a customized bit of code called a packet sniffer, and the program promptly turned its digital nose upon all traffic flowing into and out of the server. The sniffer used this privileged position to find and extract from the data stream the key "track 2" data—numbers and expiration dates, but not names—from every credit card used in store #32, saving it to a local file creatively named "log" for later retrieval.
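From the defender's side, the artifact this technique leaves behind is a file full of track 2 records. The following is an added example, not code from the article or from any party it describes: the kind of scan an incident responder or a DLP control would run over a suspicious file on a POS host. It matches the track 2 layout (assumed here: start and end sentinels present), validates the PAN with the Luhn check and the expiry month, and reports masked PANs; the log lines it scans are constructed.

```python
"""Scan a text dump for track 2 magnetic-stripe records.

Added example, not code from the article or from any party it describes.
Track 2 layout assumed here: ';' start sentinel, PAN of 12-19 digits,
'=' field separator, YYMM expiry, 3-digit service code, discretionary
data, '?' end sentinel. The sample "log" lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


@dataclass
class Track2Hit:
    line_no: int
    pan_masked: str   # first 6 and last 4 digits only
    expiry: str       # YYMM as stored on the stripe
    service_code: str


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_ok(yymm: str) -> bool:
    """Track 2 stores expiry as YYMM; reject an impossible month."""
    return 1 <= int(yymm[2:]) <= 12


def mask_pan(pan: str) -> str:
    """Keep the issuer prefix and last four digits so a hit can be reported
    without copying the full card number into yet another file."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> List[Track2Hit]:
    """Return one hit per track 2 record whose PAN and expiry are plausible.

    The Luhn and month checks cut down false positives from random digit
    runs that happen to match the sentinel/separator pattern.
    """
    hits: List[Track2Hit] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            pan, yymm, svc, _discretionary = m.groups()
            if luhn_ok(pan) and expiry_ok(yymm):
                hits.append(Track2Hit(line_no, mask_pan(pan), yymm, svc))
    return hits


# Constructed sample of what a sniffer's capture file might contain; the
# card numbers are the well-known industry test numbers, not real cards.
SAMPLE_LOG = "\n".join([
    "2007-05-18 21:03:11 ;4111111111111111=09121011234567890?",   # valid
    "2007-05-18 21:04:02 ;5500000000000004=10021010000000000?",   # valid
    "2007-05-18 21:05:40 ;4111111111111112=09121010000000000?",   # fails Luhn
    "2007-05-18 21:06:15 ;378282246310005=08131010000000000?",    # month 13
    "heartbeat ok, no card data on this line",
])


def scan_sample() -> List[Track2Hit]:
    """Run the scanner over the constructed sample; returns 2 hits."""
    return scan_text(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"line {hit.line_no}: PAN {hit.pan_masked} exp {hit.expiry} "
              f"svc {hit.service_code}")
```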

Suvorov didn't hack his way in, exactly—he actually had the proper credentials for the POS server. He had obtained them by hacking a bit further up the credit card food chain and breaking into servers run by Micros, maker of the POS system used at Dave & Buster's. Inside the Micros system, Suvorov had found a file which he hoped would make him rich: it contained access information for POS systems deployed at Micros client locations, including Dave & Buster's.

Even with easy access to Dave & Buster's POS servers, Suvorov ran into difficulties; the sniffer, it turned out, was not a perfect piece of code. The sniffer had come from a young Miami man, Albert Gonzalez, who was at the time running one of the largest commercial hacking crews in US history. Gonzalez provided a sniffer that he had used for other jobs, and Suvorov first deployed it in a test run at the Dave & Buster's location down the Eastern seaboard in Arundel, Maryland. It failed to capture any track 2 data at all. After getting the code fixed, Suvorov tried again and expanded to 11 Dave & Buster's in May 2007—including store #32.

This time, the sniffer worked, grabbing credit card data as intended, but it now showed another flaw: it failed to restart itself any time the POS server rebooted. Fixing the problem appears to have been too much trouble for Suvorov. Instead, he simply logged into the Dave & Buster's POS servers every few months, grabbed the existing "log" files, and moved them to an encrypted Latvian server. Then he manually restarted his sniffer.

By September, Suvorov had collected nearly 5,000 credit cards from store #32 alone—and many thousands more card details from the other stores. He compiled the card numbers into a database and sold his list for $25,000. Easy profit.

Suvorov hailed from Sillamäe, a small resort town of just 16,000 on the northeastern border of Estonia. Only 23 years old, he had never been to college, but who needed college when profits could be had so easily? Suvorov was already a veteran at running card numbers. He had partnered with a Ukrainian named Maksym "Maksik" Yastremskiy, and the two became highly specialized middlemen: they bought up databases of stolen credit card numbers from people like Gonzalez for a few thousand dollars apiece, then found buyers before the numbers became useless. In later 2006, for instance, Suvorov and Yastremskiy tried to sell a list of 160,000 credit card numbers to a San Diego man who had approached them through the Internet's darker back alleys. In the end, the man only had the cash to buy 6,798 credit card details—for which Suvorov and Yastremskiy charged him $10,000.

The pair had done well for themselves; Yastremskiy alone was alleged to have earned $11 million in revenue from his card-fencing activities. But by virtue of doing well, they attracted the attention of some people they must have thought could never reach them: the US Secret Service. And the Secret Service was very interested. The agency had been running a three-year undercover operation called "Carder Kaos" to bag people like Gonzalez, Suvorov, and Yastremskiy, whose hacking and fencing had achieved record levels of US-based fraud. For instance, who was that San Diego man who paid $10,000 for the card numbers? A Secret Service agent.

Had Suvorov known about the pursuit, he might have considered a move to Russia, whose border was only a few miles from Sillamäe. (The Russian Constitution forbids the extradition of its citizens.) But, flush with his earnings, Suvorov indulged in a March 2008 vacation to Indonesia, with a stopover in Germany. He was promptly arrested in Frankfurt by the German Federal Police acting on a US warrant.

Suvorov spent much of 2008 in a German jail, awaiting an extradition hearing, and he might well have spent his nights pondering just how many US government resources had been expended to track him down: Secret Service investigations, undercover agents, federal lawsuits, international warrants, extradition requests. But government resources go far deeper still, as his co-conspirator Yastremskiy found out the hard way.

A little "sneak-and-peek"

In 2006, the year before the Dave & Buster's break-ins began, a Secret Service team was already on Yastremskiy's tail, and they weren't about to let a little geography stop them. In June 2006 agents arrived in Dubai, where the peripatetic Yastremskiy had traveled. Yastremskiy himself was not the team's immediate goal—at the moment, they wanted only his Lamborghini-branded PC with a Cyrillic/English keyboard. On June 14, the Secret Service accompanied United Arab Emirates officials on what the US government would later call a "sneak-and-peek search" of Yastremskiy's hotel room.

Waiting until Yastremskiy was out, the team accessed his room and imaged his laptop's hard drive. The main contents of the drive were encrypted, however, hidden inside a container called "New PGP Disk1.pgd." The agents left with their disk image, restoring the laptop to the room and leaving no trace of their presence. They couldn't immediately make use of the encrypted image, but who knew what secrets it might spill down the road?

The investigation continued. Yastremskiy continued his work with Suvorov. The men sold their $10,000 in credit card numbers to an undercover agent, but the US government took no action. In 2007, apparently fed up with simply purchasing credit card numbers from hackers, Yastremskiy and Suvorov decided to acquire them more directly, and the Dave & Buster's break-ins became their latest endeavor. As the group began exfiltrating the card data for sale, the Secret Service investigation had reached a point at which the agency was ready to act. They obtained a provisional arrest warrant from a federal judge in southern California and took it to the Turkish National Police (TNP), since Yastremskiy had left Dubai for a visit to Turkey.

The TNP was happy to help. Secret Service agents arrived in Antalya, Turkey during late July 2007 and followed a protocol much like the one from Dubai. On July 25, TNP officials entered Yastremskiy's hotel room when he was out and snatched the Lamborghini computer, again. They took it across the hall to another room in which the Secret Service team waited. This time, instead of making a complete image, the agents opened the machine and snapped photos of its login screen, which displayed the username "Mars"—everything appeared identical to the machine they had "sneaked-and-peeked" at back in Dubai.

The next day, the TNP arrested Yastremskiy on the US warrant. What was Yastremskiy doing in Turkey in the first place? Secret Service agents had arranged the meeting there, convincing Yastremskiy they wanted to make a big buy.

But rather than extradite Yastremskiy, the Turks discovered an interest in his fraudulent ways and decided to prosecute him locally. (He had apparently gone after many Turkish banks.) This meant the existence of two parallel investigations into the man's activities, and that meant two parallel attempts to break into his laptop. On July 30, a TNP forensic examiner back in Ankara provided the Secret Service with a complete image of the laptop's hard drive—again, mostly made up of an encrypted volume—and each side went to work.

The Turks physically had Yastremskiy, so they decided to see if he might simply tell them the password—and he did, just days after his arrest. Why? Suvorov's lawyers would later claim darkly that the entire episode surrounding Yastremskiy's password revelation "shocked the conscience"—but this was speculation. US lawyers offered no opinion about why Yastremskiy had revealed his password except to note that US defendants also did so, usually as a way to reduce criminal sentences.

But security researcher Chris Soghoian talked to four people who listened to a private presentation by Howard Cox, a Department of Justice official, back in 2008. Cox allegedly joked that leaving a suspect alone with Turkish police for a week might be a good way to get them to reveal a password. The Turkish Embassy to the US eventually responded, saying that "Maksym Yastremskiy has not filed any complaint for being subject to ill-treatment or police violence or brutality. The medical reports issued by the Turkish forensic medicine clearly state that no signs of physical harm have been detected on his body."

However they acquired the 17-character password, the Turks and Americans took very different approaches to using it. The Americans went through a detailed forensic process on the drive image, with Secret Service Agent Stuart Van Buren needing an entire month "to undertake a lengthy and difficult process to make the Yastremskiy Image readable and searchable," due to the encryption.

The Turks simply turned on Yastremskiy's laptop and entered the password, then began viewing files. (Forensically, this might create all sorts of problems by altering "last accessed" dates and opening the entire laptop's evidence to charges that material had been planted.) US lawyers were later diplomatic about the differences, calling it "a different approach than the USSS may have used." Yastremskiy's computer evidence eventually pointed to both Suvorov and Gonzalez as co-conspirators.

Despite a US extradition request, Yastremskiy was charged with a host of violations of Turkish law and sentenced to 30 years in prison there—where he remains today.

108 Reader Comments

does it occur to anyone that maybe credit card companies should switch to some new method of validating charges, rather than ~72 bits of unencrypted, nonchanging, human readable digits that anyone can copy.

They obtained a provisional arrest warrant from a federal judge in southern California and took it to the Turkish National Police (TNP), since Yastremskiy had left Dubai for a visit to Turkey.

TNP accepting an American judge's warrant. Interesting.

Quote:

One problem with the approach: the team still had to sit in cars right outside Marshall's to collect the data. This was bound to look suspicious over time...

Should have dressed up like a Google car.

Quote:

... Gonzalez had his team install VPN access to the Marshall's network so that they could access it from anywhere.

Today's Ars story gives that a touch of irony.

Quote:

Gonzalez's lawyer backed off the Asperger's defense a bit, but did make an eloquent pitch for his client. While Gonzalez committed crimes, the lawyer argued, he didn't—say—bring down the world financial system.

Ouch! That gotta hurt. Didn't get him off, but still.

Quote:

The government used his sentence to make one major point to criminals: the "borderless" Internet won't save you from prosecution.

So, what I'm seeing here is that if you attack credit card processors and retailers the U.S. government will spend years tracking your activity and building a bullet proof case against you in court. If you go after Hollywood, they'll kick down your door in a foreign country, take everything you own, stymie every attempt to defend yourself, and deliberately keep you from looking at whatever evidence they might have collected.

Quote:

does it occur to anyone that maybe credit card companies should switch to some new method of validating charges, rather than ~72 bits of unencrypted, nonchanging, human readable digits that anyone can copy.

The US card industry is moving to the EMV system which should improve the situation somewhat.

Quote:

So, what I'm seeing here is that if you attack credit card processors and retailers the U.S. government will spend years tracking your activity and building a bullet proof case against you in court. If you go after Hollywood, they'll kick down your door in a foreign country, take everything you own, stymie every attempt to defend yourself, and deliberately keep you from looking at whatever evidence they might have collected.

And if you rip off American taxpayers to the tune of trillions and lie to Congress under oath, they do nothing because you're a piss-down job creator.

Quote:

And if you rip off American taxpayers to the tune of trillions and lie to Congress under oath, they do nothing because you're a piss-down job creator.

You know what!? I'm actually kind of mad about that! Here, this guy happens to rip off millions from credit card consumers....he gets thrown under the jail...yet the corporate CEOs get a pass. How does this work? I'm becoming more and more convinced that the government is working for corporate interest.

As a side note, why is hacking illegal anyway? If companies spent more time securing their networks/code, it'd be much more difficult to penetrate. If hacking were legal, companies would have a greater incentive to do so. Instead, companies implement "good enough" security practices, then get the NSA and Fed to detect and eliminate threats, respectively....

wow, very interesting article, thanks Nate! It's 2am and I should be asleep and I thought, I'll just quickly check and see if any new tech news has popped up before going to bed. Usually I just skim the headlines and then go to sleep but after reading the first few lines, you got me hooked and I just had to read the whole thing! Okay I'm really going to bed now!

The same reason physical trespassing is illegal. It's private property, whether it's physical or virtual. Might as well ask why it's illegal for someone to just stroll into your house if you leave the door unlocked.

I hate the private sector. These cheap asses do as little as possible to secure your data. We need more government regulations on credit card data processing. After all, the justice department doesn't work for free.

Quote:

As a side note, why is hacking illegal anyway? If companies spent more time securing their networks/code, it'd be much more difficult to penetrate. If hacking were legal, companies would have a greater incentive to do so. Instead, companies implement "good enough" security practices, then get the NSA and Fed to detect and eliminate threats, respectively....

That is quite a horrible idea, even if companies spent half their budget on a new system someone with enough time on their hands will find a way in if they really want. Do you really want people stealing emails, passwords, CC numbers, etc. with no repercussions if caught?

Great article, thanks. Reminds me of 'Takedown' which I read many many years ago on a local bulletin board

Must say though, 20 years and $69m in damages for Gonzalez seems steep - I wonder how harsh the punishment would have been if he hadn't been an informant? Having not lived in the US (only in Australia, NZ and Europe), the US criminal system seems very punitive.

Quote:

That is quite a horrible idea, even if companies spent half their budget on a new system someone with enough time on their hands will find a way in if they really want. Do you really want people stealing emails, passwords, CC numbers, etc. with no repercussions if caught?

You can make the "if-determined-then-successful-hack" argument in a number of situations. Although my solution is a bit extreme, we need new thinking. Why isn't hacking carried out by an individual against an organization a civil matter? Detect them, identify them, sue them. Instead we have the cost of hunting down these individuals being shifted onto tax payers. I've never shopped at TJ Maxx...why the fuck should I have to pay for an investigation because they were hacked?

He tried to blame Asperger's for committing a crime? One of the "features" of people with Asperger's is that they have a strong social conscience (although not apparently strong enough in this case). Don't try saying Asperger's creates criminals, thanks all the same Gonzalez!

Doesn't every major credit card come with a zero liability policy? Ultimately, the victims are not the "thousand" american cardholders, but a few billionaires who lost some pocket money. (I am not trying to justify stealing, but I think the damage to american citizens is far less than what we are led to believe).

The statement of the defense definitely resonated with me. I'd also like to see our banking CEOs and hedge fund managers spend 30 years in a Turkish prison. They didn't see a day in the slammer but hurt average citizens far more than Gonzalez ever did or could.

ArmanUV wrote:

Doesn't every major credit card come with a zero liability policy? Ultimately, the victims are not the "thousand" american cardholders, but a few billionaires who lost some pocket money. (I am not trying to justify stealing, but I think the damage to american citizens is far less than what we are led to believe).

The usual deal is that you have to report the theft (credit card charge) within 30 days. Otherwise you (the consumer) get to eat the bill. If you report before 30 days are up, the first $50 loss is the customer's.

Debit cards (often used instead of a credit card) have to be reported in 3 days. Usually the first $500 or $1000 on the debit card is the customer's liability and then the bank covers from there to the spending limit on the debit card, anything after that is the customer's. If the card's PIN is used, all bets are off. The customer gets to eat the entire loss. Debit cards suck for this reason alone.

Problem is that 3 days is too short an interval if you're out on a vacation.

Quote:

Doesn't every major credit card come with a zero liability policy? Ultimately, the victims are not the "thousand" american cardholders, but a few billionaires who lost some pocket money. (I am not trying to justify stealing, but I think the damage to american citizens is far less than what we are led to believe).

Actually, it's the customers of the card issuer - you think the corporation itself eats those losses? Hell, no. It's more fees, higher interest, etc. Pretty well above all else, nothing touches the compensation of executives in a negative way. Until they hose it so badly they get canned...with a multi-million dollar golden parachute.

Well, and every American citizen - I can only imagine how many millions were spent on this. How about we make it like riding in an ambulance? That is, the Secret Service, et al, conduct the investigation, bring down the bad guys, then hand a bill to TJ Maxx, Dave & Buster's, Micros, etc. That's how the corporations will learn not to half-ass their security.

And imagine what a punch in the balls it would be if, in the whats-it filing with the SEC, TJ Maxx reports millions in charges owed to the Secret Service because their IT people didn't actually care enough to make sure the network was secure. And never audited to make sure there wasn't any suspicious traffic.

Quote:

Why isn't hacking carried out by an individual against an organization a civil matter? Detect them, identify them, sue them. Instead we have the cost of hunting down these individuals being shifted onto tax payers. I've never shopped at TJ Maxx...why the fuck should I have to pay for an investigation because they were hacked?

Does anyone else find it unsettling that US police operate in foreign countries? Would USians feel comfortable with foreign police operating in the US?

These Federal Agencies don't operate overseas like they do in the US, they usually have liaison with the national police forces overseas. When the article says the Secret Service has agents in Latvia for instance, it does not mean these agents have carte blanche to use Latvian resources, rather these agents will work with the Latvian police forces to achieve their goal.

It works the other way as well, overseas forces can request US aid in their investigations.

But to join in the choir: Nate, another excellent write-up, good work.

Quote:

You can make the "if-determined-then-successful-hack" argument in a number of situations. Although my solution is a bit extreme, we need new thinking. Why isn't hacking carried out by an individual against an organization a civil matter? Detect them, identify them, sue them. Instead we have the cost of hunting down these individuals being shifted onto tax payers. I've never shopped at TJ Maxx...why the fuck should I have to pay for an investigation because they were hacked?

Ditto. Everyone pays the price for these credit card security failures. The government needs to set up best practices. If you don't follow the best practices, don't expect the government to hunt down your hacker.

I use the "football" for ebay and paypal. (The football is a pseudo random number generator device. It generates a 6 digit code you use in addition to your password.) At least ebay and paypal are making an effort at providing security. Since most credit card fraud is online, I wouldn't mind having to use the football for all online purchases.

Incidentally, I got hacked last week. Since I'm in the US, it didn't take the credit card fraud department to figure out I'm not making purchases in Europe.

Quote:

As a side note, why is hacking illegal anyway? If companies spent more time securing their networks/code, it'd be much more difficult to penetrate. If hacking were legal, companies would have a greater incentive to do so. Instead, companies implement "good enough" security practices, then get the NSA and Fed to detect and eliminate threats, respectively....

That's not a very thought-out statement. You could argue the same to make mugging legal, because it'll incite people to work on their shape and self-defence. You can't argue that it would be good to alleviate the NSA and Fed from their workload either, because this is pretty much exactly what they're for.

That said, this entire event could serve as a wake-up call for companies with bad security practices such as unencrypted wi-fi, because it demonstrates that the results can be catastrophic.

So Gonzalez gets 20 years in jail, forfeits all his gains from his crimes and he has to pay $70m to the "victims" (who are really the banks and insurance companies who reimburse the card owners). That does not seem like justice to me.

Edit: I take the point of the rising fees, and perhaps not reporting in time, but you don't think the $70m actually goes to the card owners, do you? That is, if they can get him to pay in the first place...

Many thanks for a great article. One thing about the write-up nags at me though: "In the end, Marshall's corporate parent TJX claimed to suffer $200 million in losses and expenses from the hacks. " -- this claim, as it stands -- seems completely unsubstantiated. Now, I realize it's TJX that make the claim -- but without some kind of breakdown of that very high number -- it adds very little to the article IMNHO.

200 MUSD translates to *a lot* of work hours, very much increased insurance premiums and whatever else might hide behind that number. And how much of that is related to plain negligence on TJX' part?

It bothers me to see such numbers thrown around in cases involving hacking and copyright/licence infringement, without any reasonable substantiation. Too often when it comes to hacking, a large part of such numbers turns out to be "actually installing the IT-infrastructure that we should have installed when we started doing business, but were too cheap to bother with, customer data be damned.".

It's a little like saying it's the burglar's fault you had to actually purchase a lock for your front door after being robbed. Or even install a door in the first place.

Quote:

does it occur to anyone that maybe credit card companies should switch to some new method of validating charges, rather than ~72 bits of unencrypted, nonchanging, human readable digits that anyone can copy.

Yes, it occurred to me a long time ago. Force them to switch to better encryption on these transactions, at least 512-bit.